Security researcher warns of power company customers' passwords being stored in the clear, software provider responds with lawyer-letter


SEDC is an Atlanta-based company that provides back-ends for utility companies; a security researcher discovered that the company stored his password in the clear. The company's products have more than 15,000,000 users, whose logins and passwords are potentially also stored in plaintext. When the researcher alerted the company about this, the company ignored them, then denied that there was any problem, then demanded that the researcher not communicate about this except to SEDC's general counsel.

The responses from SEDC general counsel Mark Cole split hairs over the security implications of storing unencrypted passwords, insisting that there was no problem because the practice was not prohibited by PCI-DSS, the industry regulation governing storage of customer billing information, and because logging in would not reveal billing information.

The security researcher who discovered the password problem has received assistance from the Electronic Frontier Foundation (disclosure: I am a consultant to EFF).

Cole eventually sent the researcher an email that implied that the company had reformed its password handling, but with a great deal of worrying ambiguity.

Storing passwords in the clear is an industry worst-practice. Because so many people re-use passwords, password breaches are a useful source of data for "credential stuffing" attacks on other sites; if SEDC or its customers suffer a breach, they could unleash millions of passwords that could be used to compromise the users of its services.

So is the situation "fixed"? It's unclear. SEDC's counsel—who did not respond to Ars' request for an interview—gave as little technical information as possible during the entire 120+ day saga with X. "In 2019, it's ridiculous that vendors are replying to security researchers via general counsel, not a bug bounty program," Cardozo noted. Cole's final correspondence with X is both careful and cagey. It says, in part:

I wanted to let you know SEDC has changed the way our software handles “forgotten password” requests for the payment portal, and we have disclosed the change to all our Customers. We also have disclosed this change and the history of your communications of which we are aware—with SEDC and our employees, with some of our Customers, and with social media generally—in detail to our Board of Directors, which is comprised of a dozen of our Customer-Members. They do not believe any further “disclosure” by SEDC is needed or appropriate.

Given that there has been no PCI violation nor any indication of third party access to anyone’s PII (in fact, the plain-text password at issue does not enable such access), it is unclear what “disclosure” you think should be made, much less under what authority you think such a disclosure would be required.

Mark Cole, General Counsel for SEDC

What Mr. Cole did not say is that "the passwords are now encrypted," let alone that "they are encrypted now, using a strong hash, with cryptographic salt unique to each record."
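To make concrete what "a strong hash, with cryptographic salt unique to each record" looks like, and why a "forgotten password" flow then cannot email the password back, here is an added illustration (not SEDC's code; the KDF choice, iteration count and record layout are assumptions for the example):

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per record. scrypt or Argon2 would be used the same way.
KDF_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding a unique salt and the derived key; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": KDF_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def salts_are_unique(records) -> bool:
    """Audit check: no two records share a salt, so identical passwords yield different hashes."""
    salts = [r["salt"] for r in records]
    return len(salts) == len(set(salts))


def issue_reset_token(record: dict) -> str:
    """'Forgotten password' flow: the server can only mint a one-time token, since it cannot recover the password."""
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a database leak does not expose live reset links.
    record["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Accept the token once, replace the stored hash (with a fresh salt) and invalidate the token."""
    expected = record.get("reset_token_hash")
    presented = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    record.update(hash_password(new_password))
    record.pop("reset_token_hash", None)
    return True
```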
